> On Apr 18, 2018, at 10:43 AM, Andy Polyakov <ap...@openssl.org> wrote:
>
> It can either be a probe just to see if it's reasonable to demand it, or
> establish a precedent that they can refer to saying "it was always like
> that, *your* application is broken, not ours." Also note that formally
> speaking you can't blame them for demanding it. But you can blame them
> for demanding it wrong. I mean they shouldn't try to communicate through
> OU of self-signed certificate, but by terminating connection with
> missing_extension alert, should they?
What I can blame them for is being counter-productively pedantic. Forget the
RFC language, does what they're doing make sense and improve security or is it
just a pointless downgrade justified by RFC text lawyering?
--
Viktor.
_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project
